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1.  INTRODUCTION 


This  document  contains  the  Municipality’s  Governance  of  Risk  Management  and  outlines 
the  Munieipality’s  Risk  Management  Framework.  It  deseribes  the  risk  management 
processes  and  sets  out  the  requirements  in  generating  risk  management  action. 

The  ERM  process  creates  the  consciousness  at  both  political  and  administrative  levels  of 
the  Municipality’s  risk  appetite  and  profile  as  it  strives  to  aehieve  the  legislative  mandate 
of  the  Municipality  and  the  service  delivery  imperatives. 

The  essential  focus  of  the  King  III  report  on  Corporate  Governance  is  that  the  Council 
should  exercise  leadership  to  prevent  risk  management  from  becoming  a series  of 
activities  that  are  detaehed  from  the  realities  of  the  municipality’s  businesses.  The 
management  of  risks  has  evolved  from  the  management  of  financial  risks  through 
insurance  to  business  risk  management  and  recently  to  enterprise  risk  management  which 
espouse  the  management  of  risks  at  all  levels  of  the  municipality. 

The  Munieipality’s  ERM  framework  which  is  aligned  to  the  COSO  ERM  Integrated 
Eramework  and  the  National  Treasury  Risk  Management  Eramework,  is  applicable  to  all 
the  governance  and  administrative  structures  established  in  the  Municipality  in  terms  of 
either  the  applicable  legislation  or  by  way  of  formal  resolutions  of  the  Council.  The 
Municipality’s  ERM  framework  is  applieable  to  all  the  Departments  within  the 
Municipality. 

2.  THE  PURPOSE  OF  THE  RISK  MANAGEMENT  FRAMEWORK 

This  Eramework  is  primarily  developed  to  raise  awareness,  inform  and  guide  Managers 
and  Departments  on  the  Munieipality’s  approved  approach  to  risk  management. 

Its  main  aim  is  to  provide  a practical  Eramework  to  assist  managers  in  the  effective 
identification,  evaluation  and  control  of  risk  that  may  impact  upon  the  achievement  of  the 
corporate  and  service  objectives  and  priorities  that  the  organisation  has  set  itself  to 
aehieve.  In  this  way,  risk  management  is  intrinsieally  linked  to  the  organisation’s 
‘positive  aspirations  and  aehievements’  rather  than  solely  focused  on  ‘negative  faetors’. 
Staff  should  therefore  view  risk  management  across  the  organisation  as  a tool  to  support 
achievement  rather  than  simply  another  compliance  procedure. 

“If  risk  management  is  to  be  effective  there  must  be  a clear  link  between  objectives  and 
risks.  It  is,  therefore,  essential  that  risk  management  is  embedded  in  the  planning 
process.  ” 

Whilst  it  is  recognised  that  many  managers  will  have  already  been  managing  risk  on  a 
daily  basis,  more  often  than  not,  this  would  have  been  on  an  intuitive  and  instinctive 
basis. 


It  is  important  that  the  Department  Risk  Management  should  assess  the  impact  of  similar 
risks  throughout  the  Municipality,  thus  the  need  for  a consistent  Risk  Framework  and 
Policy.  A clear  over-arching  principle  of  this  Framework  is  to  develop  risk  management 
processes  and  procedures  alongside  existing  corporate  arrangements.  This  has  the  clear 
advantage  of  achieving  and  demonstrating  an  embedded  risk  management  process,  but 
also  reduces  the  need  for  additional  reporting  mechanisms. 

This  Framework  is  therefore  premised  on  the  acknowledgement  and  acceptance  of  the 
applicability  of: 

• The  Municipality’s  Governance  structure.  Protocols  and  Model 

• The  Municipality’s  Delegations  of  Authority  approved  by  Council  in  terms  of 
applicable  legislation 

• The  provision  of  the  Municipal  Finance  Management  Act,  no  56  of  2003,  in 
particular: 

o section  95  (c)  (i),  section  105, 
o section  165  (2)  (a),  (b)(iv),  and  section  166  (2)  (a)  (ii) 

as  well  as  the  Municipal  Systems  Act  (Act  32  of  2000)  and  the  Municipal 
Structures  Act  (Act  117  of  1998) 

• King  III  report  on  Corporate  Governance 


3.  ENTERPRISE  RISK  MANAGEMENT  MODEL 

The  Municipality  has  adopted  a risk  model  and  process  that  will  enable  the  embedding  of 
a sound  risk  management  practices  in  all  its  strategic  and  operational  activities.  Everyone 
must  have  a clear  understanding  of  the  roles  and  responsibilities,  the  approved 
methodologies,  and  the  integration  processes  that  have  been  adopted  by  the  Municipality 
and  they  are  required  to  apply  and  follow. 

ERM  encompasses  aligning  risk  appetite  and  strategy;  enhancing  risk  response  decisions; 
reducing  operational  surprises  and  losses;  identifying  and  managing  multiple  and  cross - 
enterprise  risks;  seizing  opportunities;  and  improving  deployment  of  capital.  It  is 
important  that  there  is  a common  understanding  of  the  term  risk  as  a pre-cursor  to  the 
review  of  risk  management,  its  benefits  and  limitations. 


4.  RISK  MANAGEMENT  PROCESS 


As  seen  in  the  diagram  below,  risk  management  is  a cyclic  process  which  requires  regular 
and  systematic  evaluation  to  deliver  a sound  decision  making  process.  This,  in  turn, 
leads  to  the  achievement  of  high  quality  services  delivered  on  a value  for  money  basis. 


RM  Process 


Risk  Identification,  Assessment  and  Prioritisation 


The  continuous  risk  management  process  involves  the  identification  of  risks,  measurement, 
analysis  and  assessment  of  the  impact  of  risks,  and  identifying  strategies  to  mitigate  the  risks  to 
acceptable  levels,  monitoring  and  communicating  the  risk  profiles,  and  integrating  risk  in  the 
decision  making  processes.  As  depicted  above,  risk  management  should  be  integrated  with 
strategic  management  and  strategy  implementation  to  ensure  that  the  Municipality  is  able  to 
monitor  achievement  of  objectives. 

The  Risk  Management  policy  is  the  starting  point  in  the  risk  management  framework  and  must 
be  prepared  to  ensure  that  risk  management  becomes  the  concern  of  line  management  and 
everyone  in  the  Municipality  and  that  risk  management  practices  are  consistent  across  the  whole 
of  the  Municipality.  Risk  assessments  at  strategic  and  operational  levels  will  be  conducted  at 
least  annually.  The  responsibility  to  ensure  that  risk  assessments  are  conducted  rests  with  the 
Municipality’s  risk  management  function,  and  the  Municipal  Manager.  The  assessment  of  risks 


requires  the  identification  of  organisational  objectives  and  strategies,  and  a continuous  analysis 
of  inherent  events  that  may  impact  on  the  achievement  of  objectives  and  strategies.  The 
Municipality  have  adopted  a common  risk  assessment  methodology  that  will  be  utilised  to  enable 
a uniform  assessment,  rating  and  prioritising  of  risks.  This  includes  the  risk  terminology,  risk 
assessment  tables,  and  the  risk  matrix  as  depicted  below. 

• Risk  assessment  can  be  performed  through  workshops,  interviews,  questionnaires  and 
surveys,  research,  control  assessments,  either  using  worst  case  scenario  analysis,  PESTEL 
analysis,  qualitative  or  quantitative  methods. 

• The  assessment  of  risks  will  be  facilitated  by  the  risk  management  functions  of  the 
Municipality.  However,  the  primary  responsibility  for  the  management  of  identified  and 
emerging  risks  lies  with  the  respective  management  of  the  Municipality  and/or  the  business 
unit. 

• The  assessment  requires  the  identification  of  the  event,  an  analysis  of  the  likelihood  of 
occurrence  and  the  associated  impact  (nature  and  extent).  Therefore  with  the  adoption  of  the 
risk  assessment  methodology,  the  same  tables  to  analyse  likelihood  of  occurrence  and  impact 
tables  must  be  utilised  throughout  the  Municipality.  The  benefits  hereof  are  that  a common 
risk  language  is  used  by  the  Departments,  and  measurements  and  prioritisation  of  risks  is 
standardised. 

• Management  is  required  to  identify  risk  mitigation  responses  in  respect  of  all  identified  risks, 
devise  action  plans  to  address  critically  and  high  risk  areas;  and  monitor  any  changes  to  the 
medium  and  low  risks. 

The  risk  management  framework  is  comprised  of  four  key  elements  as  illustrated  below: 


Identification 


• All  activities  with  the  municipality’s  business,  both 
existing  and  new  should  be  assessed  in  order  to 
identify  material  current  as  well  as  emerging  risks, 
which  threaten  the  achievement  of  objectives  or 
may  cause  material  loss  or  damage  or  business 
continuity  implications  for  the  stakeholders  or 
reputation  risks  for  the  municipality. 


Measurement 


• The  risks  associated  with  any  new  activities  will  be 
evaluated  in  order  to  determine  the  potential 
exposure  to  the  municipality. 

• All  material  existing  risks  will  be  re-evaluated  on  at 
least  an  annual  basis. 

• All  risks  will  be  evaluated  according  to  a likelihood 
and  impact  basis  on  a scale  of  1 to  5. 


Management 


Reporting 


• Appropriate  risk  management  will  enable  the 
municipality  to  both  minimize  loss  and  optimize 
opportunities. 

• The  identification  and  monitoring  of  risk  is  the 
responsibility  of  the  Department  Risk  Management 
but  Senior  Management  accepts  joint  responsibility. 

• The  Department  Risk  Management  will  co-ordinate 
the  management  system,  monitoring  of  results  and 
reporting  of  risks  to  the  Accounting  Officer,  Risk 
Management  Committee  and  the  Audit  Committee. 


• All  new  risks  must  be  reported  and  included  in  the 
municipality’s  risk  register. 


Risk  Likelihood  / Impact  assessment  criteria 


All  risks  identified  during  the  workshop  are  being  rated  by  the  participants,  against  their 
probability  and  impact  both  inherently  and  residual  ratings. 

■ Likelihood,  also  known  as  probability,  is  defined  as  the  chances  that  the  risk  will  occur 
based  on  previous  history,  management  experience  and  any  current  situation;  and 

■ Impact,  also  known  as  consequence,  is  defined  as  the  level  or  extent  to  which  the  risk 
would  affect  the  ability  of  the  business  to  deliver  its  strategy  and  objectives  if  it  were 


The  Municipality  will  use  the  risk  rating  guide  below  to  assess  all  identified  risks: 


RISK  RATING  GUIDE 


Likelihood  rating  guide 

Score 

Likelihood 

Occurrence 

5 

Common 

the  risk  is  already  occurring  or  is  likely  to  occur 
more  than  once  in  the  next  12  months 

4 

Likely 

the  risk  is  likely  to  occur  at  least  once  within  the 
next  12  months 

3 

Moderate 

the  risk  is  likely  to  occur  in  the  next  2-3  years 

2 

Unlikely 

the  risk  is  unlikely  to  occur  in  the  next  3 years 

1 

Rare 

the  risk  is  unlikely  to  occur  even  in  the  long  term 

Impact  rating  guide 

Score 

Impact 

Consequences 

5 

Critical/  catastrophic 

the  risk  will  have  a significant  impact  on  the 
achievement  of  objectives 

4 

Major 

the  risk  will  have  a high  impact  on  the 
achievement  of  objectives 

3 

Moderate 

the  risk  will  have  a moderate  impact  on  the 
achievement  of  objectives 

2 

Minor 

the  risk  will  have  a low  impact  on  the 
achievement  of  objectives 

1 

Insignificant 

the  risk  will  have  a negligible  impact  on  the 
achievement  of  objectives 

Risk  Matrix 

The  risk  matrix  below  as  per  the  risk  rating  guide  above,  will  depict  the  risk  indices  that  result 
from  assessing  the  likelihood  and  impact,  the  matching  risk  magnitude  categories  the  risk 
indices  as  high,  medium  or  low: 


RISK 

INDEX 

RISK 

MAGNITUDE 

8-14 

MEDIUM 

1-7 

LOW 

The  following  diagram  differentiates  between  inherent  and  residual  risk  exposures; 


Procedures  during  the  compilation  of  the  Risk  Register: 

> The  risk  assessment  was  conducted  in  the  form  of  workshops 

> The  following  processes  was  follow: 

> Objective  Setting. 

> Formulation  of  the  risk. 

> Description  what  effect  the  risk  would  have  on  the  objectives  of  the  municipality  should 
it  occur. 

> Determine  Inherent  Risk  (risk  before  the  implementation  of  controls). 

> Evaluate  the  likelihood  of  risk  on  a scale  from  1 to  5 as  set  above. 

> Evaluate  the  impact  of  risk  on  a scale  from  1 to  5 as  set  above. 

> Determine  risk  level  of  Inherent  risk  by  multiplying  the  likelihood  and  impact. 

> Total  1 to  7 - “Low” 

> Total  8 to  14  - “Medium” 

> Total  15  to  20 -“High” 

> Identification  of  the  existing  controls  to  mitigate  the  risk. 

> Determine  the  level  of  the  residual  risk  (risk  after  implementation  of  controls). 

(Automatic  process  as  set  out  in  the  abovementioned  slide). 

5.  OUTPUTS  AND  BENEFITS  FROM  THE  RISK  MANAGEMENT 
PROCESS 

If  a structured  risk  management  process  is  in  place  and  is  adhered  to,  a number  of 
resultant  benefits  can  be  derived  from  the  process. 

The  key  benefits  of  risk  management  include; 

• A better,  more  informed,  decision-making  process  and 

• An  ability  to  manage  the  process  of  achieving  objectives. 

This  is  particularly  relevant  in  the  context  of  the  need  to  demonstrate  best  value  and 
continuous  improvement  in  service  delivery,  especially  with  an  increasing  reliance  being 
placed  on  partnership  working. 


However  there  are  further  examples  of  recognised  benefits  that  are  direct  outputs  from  an 
effective  risk  management  process.  These  include: 


• Increased  focus  on  what  needs  to  be  done; 

• More  satisfied  citizens; 

• Better  management  of  change  programmes; 

• Supports  innovation; 

• Fewer  complaints; 

• Controlled  insurance  costs; 

• Competitive  advantage; 

• Better  quality  services; 

• Enhanced  ability  to  justify  actions  taken; 

• Delivering  best  value; 

• Protection  of  reputation;  and 

• Getting  it  right  first  time. 


In  terms  of  supporting  the  delivery  of  the  Municipality’s  services,  the  above  examples  of 
an  effective  risk  management  process  are  clearly  attractive  and  highly  desirable. 


